Location based licensing

ABSTRACT

The present invention provides a method and system for location-based digital rights management. Digital rights for protected content are restricted to a specific location or region by specifying the approved location of the consuming device within the license. This allows the content owner to specify the geographic locations/regions at which the protected content may be consumed. The device obtains its location from a location entity which is then evaluated against the location constraint within the license. If the device is within the location constraint then the content may be accessed. Acquiring the location of the device before allowing access to certain content helps in preventing a user from accessing a protected document in an area which is considered a prohibited location as defined within the license.

BACKGROUND OF THE INVENTION

Digital Rights Management aids in protecting and securely deliveringcontent for use on a computer, portable device, or network device.Content owners lock their content with a key such that when a useracquires the locked content it can not be used without the useracquiring the key. To obtain the key, the user obtains a license fromthe licensing authority and stores the license on their device. Once thekey is obtained, the content may be accessed on the users deviceaccording to the rule or rights that are specified in the license.Licenses include additional restrictions on rights including items suchas: start times and dates, duration, and number of times a right can beexercised. For instance, the rights in a license may allow the consumerto access the content on a specific computer and copy the content to aportable device.

SUMMARY OF THE INVENTION

The present invention is directed at providing a method and system forproviding location-based digital rights management.

According to one aspect of the invention, digital rights for protectedcontent are restricted to a specific location or region by specifyingthe approved location of the consuming device within the license. Thisallows the content owner to specify the geographic locations/regions atwhich the protected content may be consumed.

According to another aspect of the invention, the device obtains itslocation from a location entity which is then evaluated against thelocation constraint within the license. If the device is within thelocation constraint then the content may be accessed. Acquiring thelocation of the device before allowing access to certain content helpsin preventing a user from accessing a protected document in an areawhich is considered a prohibited location as defined within the license.For instance, the location constraint may be set such that a user cannot access a sensitive company-confidential document in the vicinity ofa competitor's office.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1 and 2 illustrate an exemplary computing devices that may be usedin exemplary embodiments of the present invention;

FIG. 3 is a functional block diagram generally illustrating a locationbased digital rights management system;

FIG. 4 illustrates the interaction between the DRM blackbox on a mobiledevice and network-based location entity; and

FIG. 5 shows a process for accessing location-constrained content whilea device is moving, in accordance with aspects of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Generally, the present invention is directed at providing a method andsystem for providing location-based digital rights management.

Illustrative System

FIG. 3 is a functional block diagram generally illustrating a locationbased digital rights management system, in accordance with aspects ofthe invention. Activation server 310, license server 320, content server330, location server 340, and computing device 350 are computing devicessuch as the one described in conjunction with FIG. 1. Mobile device 360is a mobile computing device such as the one described in conjunctionwith FIG. 2.

As illustrated, a user may attempt to access protected content obtainedfrom content server 330 on computing device 350 and mobile device 360.Generally, DRM (Digital Rights Management) blackbox 355 residing oncomputing device 350 and DRM blackbox 365 residing on mobile computingdevice 360 are configured to restrict access to content based on alocation constraint. The DRM blackboxes are configured to enforce theDRM licenses issued by license server 320. The DRM licenses may includelocation constraints relating to one or more rights associated with thecontent. According to one embodiment, the digital rights for content arerestricted to a specific location or region by specifying the approvedlocation of the consuming device within the license. This allows thecontent owner to specify the geographic locations/regions at which theprotected content may be consumed. The location constraints may beexpressed in a variety of ways. For example, location constraints can beexpressed using arbitrary polygons, postal codes, geographic entitynames (city, metro areas, county, state, country, territory, etc.), andthe like.

The blackbox is configured to perform many different operationsincluding examining the license associated with the content andexamining the location constraints within the license. Blackbox 355 and365 maintain a secure connection with location entity 340.

When a user attempts to exercise a location-constrained right for theprotected content, the DRM blackbox on the user's device (355, 365)sends a request to the trusted location entity (340) to verify if thedevice satisfies the location-constraint for the right that has beenrequested. According to one embodiment, the request contains the DRMblackbox's public-key certificate and is signed with the DRM blackbox'sprivate key. This public-key/private-key information allows locationentity 340 to verify that the request is being made by a trusted DRMblackbox.

According to one embodiment of the invention, the device mayperiodically check with location entity 340 to determine if the devicehas moved out of or into the approved geographic area as specified inthe location constraint. Acquiring the location of the device helps inpreventing a user from accessing a protected document in an area whichis considered a prohibited location as defined within the license. Forinstance, the location constraint may be set such that a user can accessa company document while the device is within one of its campuses butnot be able to access the document when the device is outside of itscampuses.

DRM blackboxes 355 and 365 are also configured to communicate with theservers regarding activating, licensing, obtaining content, anddetermining the device's location. Blackboxes 355 and 365 maycommunicate using any one of several client-server protocols.

If trusted location entity 340 determines that the location constraintis satisfied, the DRM blackbox allows the right to the content to beexercised on the device. Otherwise, it blocks the user from exercisingthe right.

Cellular/pager network 390 is a network responsible for deliveringmessages to and receiving messages from wireless devices. Cellular/pagernetwork 390 may include both wireless and wired components. For example,cellular/pager network 390 may include a cellular tower that is linkedto a wired telephone network. Typically, the cellular tower carriescommunication to and from cell phones, long-distance communicationlinks, and the like.

Gateway 380 routes messages between cellular/pager network 390 andWAN/LAN 370. For example, a computer user may send a message that isaddressed to a cellular phone. Gateway 380 provides a means fortransporting the message from the WAN/LAN 370 to cellular/pager network390. Conversely, a user with a device connected to a cellular networkmay be browsing the Web. Gateway 380 allows hyperlink text protocol(HTTP) messages to be transferred between WAN/LAN 370 and cellular/pagernetwork 390.

Activation server 310 is configured to provide devices with unique blackboxes and machine/user certificates which provide each device with aunique identity.

License server 320 is configured to store and provide the licenses andtheir associated rights to devices that are authenticated to receive thelicense. The content owner specifies the location constraints in the DRMlicense for the protected content.

Content server 330 is configured to store and provide content that maybe location-constrained to the devices. The content may include theinformation necessary for the device to obtain a license from licenseserver 320 to access the content.

A DRM blackbox is installed on a device, such as computing device 350 ormobile device 360, before any protected content can be accessed on thedevice. The existing techniques for creating a unique blackbox based onthe hardware characteristics of a PC can be used for mobile devices.Mobile devices, such as mobile phones, however, differ from PCs andother computing devices in that they have a unique hardware identifierand mobile operators use this unique identifier to authenticate phoneson their network. For example, the IMSI (International Mobile SubscriberIdentity) number serves as the unique identifier for GSM phones on anoperator's network. The ESN (Electronic Serial Number) serves as theunique identifier for CDMA phones. The ESN number is a unique numberthat is hardwired into the phone at manufacturing time. The IMSI numberis contained in the SIM (Subscriber Identity Module). The SIM is acryptographically secure smartcard without which a GSM phone is notallowed on a mobile network. This unique number may be used in creatingDRM blackbox 365 and storing this unique number in the machinecertificate of the blackbox. Each time DRM blackbox 365 is called itverifies that the unique identifier in its machine certificate matchesthe unique identifier for the mobile device. If this check fails, DRMblackbox 365 refuses to grant any rights. Once the blackbox isinstalled, the device is ready to consume protected content.

Location entity 340 is configured to provide location information to thedevices. According to one embodiment, location server 340 communicateswith the mobile operator using secure links over which requests forlocation can be sent and responses received. According to oneembodiment, location entity 340 evaluates location constraints.According to one embodiment, an external service, such as Microsoft'sMapPoint service may be used by location entity 340 to determine whethera coordinate satisfies a location constraint. Many methods may be usedto evaluate the location constraint as long as the evaluations aresecure against tampering and spoofing.

According to one embodiment, location entity server 340 may communicatewith a mobile carrier to determine where a mobile device is located.Most mobile-phone networks know the approximate location of the mobiledevices on their network. The mobile network knows the cell-tower whichis currently handling the device and can provide the latitude andlongitude for the cell tower. Further, mobile networks in USA areimplementing more accurate location technologies such as Assisted GPS(A-GPS), Time Difference of Arrival (TDOA), Enhanced Observed TimeDifference (EOTD) etc., to comply with FCC's E-911 mandate. Thesetechnologies typically allow a mobile device's location to be quicklydetermined with a high-degree of accuracy (100-300 m accuracy within5-10 seconds). Furthermore, with the exception of A-GPS, thesetechnologies do not require any modifications to the existing mobilephones.

Interaction Between DRM Blackbox and Location Entity

FIG. 4 illustrates the interaction between the DRM blackbox on a mobiledevice and network-based location entity, in accordance with aspects ofthe invention.

When the user attempts to access content that is restricted by alocation constraint, DRM blackbox 440 receives a request for alocation-constrained right. For example, a media player may ask to playa media file that is location-constrained. Upon receiving the request,DRM blackbox 440 creates a location request for location entity 410.According to one embodiment, the location request contains: thelocation-constraint for the requested right as specified in the DRMlicense for the protected content; the device's unique identifier(IMSI/ESN number)contained in the blackbox's machine certificate; and arandom number to aid in preventing capture and replay attacks. Theblackbox signs the request with its private key.

Blackbox 440 then obtains the address of network-based location entity410. This address may be present in the DRM license, in a DRM-specificconfiguration file, provided by the user, or stored elsewhere on device440. Once the address of location entity 410 is obtained, blackbox 440sends the location constrain request to network-based location entity410 over a secure channel.

According to one embodiment, location entity 410 uses the IMSI/ESNnumbers to determine the mobile operator for the requesting device. Whenthe location constraint specifies a list of mobile operators, entity 410verifies that the mobile operator is allowed by the location constraint.Entity 410 then sends a location request that includes the uniqueidentifier of the device to mobile operator 420 asking for the currentlocation of the requesting device.

Mobile operator 420 determines the latitude and longitude for the devicebearing the unique identifier and sends it back to location entity 410.If mobile operator 420 can't locate the device, an error is returned tolocation entity 410.

If entity 410 receives an error from mobile operator 420, entity 410returns an error to DRM blackbox 440, and the blackbox does not grantthe requested right.

If entity 410 receives a latitude and longitude from mobile operator420, it uses this location information to evaluate the locationconstraint. According to another embodiment, the evaluation of theconstraint may be performed at another location. For example, theevaluation may be performed on device 430, mobile operator 420, or someother trusted device. Once the evaluation is complete, entity 410attaches the result of the evaluation, which is TRUE/FALSE according toone embodiment, to the original location request sent by blackbox 440,and signs the resulting message with its private key. It also attachesits own public-key certificate to the signed message, and sends it toblackbox 440. In order to help ensure integrity of the keys, theentity's public key is certified by a root that is trusted by the DRMblackbox.

Upon receiving the response, DRM blackbox 440 verifies that theevaluation result response contains its original request and that theresponse is signed by a trusted entity. According to one embodiment, DRMblackbox verifies the entity's signature on the response and verifiesthe entity's public-key certificate.

If the verifications are successful and the entity has evaluated theconstraint to be TRUE, then the blackbox allows the requested right anddecrypts the protected content. Otherwise, the requested right isdenied.

The DRM blackbox can use a variety of techniques such as codeobfuscation, tamper-proof code segments, using machine code, and thelike to prevent a malicious user from “feeding” it a unique identifierthat is different from the actual unique identifier of the mobile phoneHowever, if a user can somehow change the unique identifier on hisdevice, then it is possible to break the security. Suppose that the userhas two phones: A and B. He somehow changes the unique identifier of Bso that it is the same as A. He now installs a DRM blackbox on B, anddownloads protected content and licenses on B. The user leaves A in an“allowed” location and travels to a “prohibited” location with B. Heswitches off the radio stack on B, tethers it to a PC, and uses the PC'sInternet connection to send a request to the location entity. Note thatthis request has A's unique identifier. Since only A is on theoperator's network, the operator will return A's location, and the userwill be able to access protected content on B in a “prohibited”location. This type of attack can be blocked by having the DRM blackboxcheck if the radio stack has been turned off or the phone is tethered.If either of these is true, the blackbox refuses alllocation-constrained rights.

Accessing Location-Constrained Content While Moving

FIG. 5 shows a process for accessing location-constrained content whilea device is moving, in accordance with aspects of the present invention.After a start block, the process moves to block 510 where an applicationattempts to exercise a location constrained right. Moving to decisionblock 520, a determination is made as to whether a valid evaluation ofthe constraint exists. According to one embodiment, a blackbox makesthis determination. When a valid evaluation of the constraint exists,the process moves to block 530 where the right is granted or denieddepending on the results of the evaluation. The process then moves to anend block.

When a valid evaluation does not exist, the process flows to block 540where the location constraint is submitted to a location entity. Movingto block 550, the location of the device is determined and theconstraint is evaluated. The process then returns to decision block 520.

According to one embodiment, the evaluation of the constraint may onlybe valid for a period of time. When the period has expired, the locationconstraint is resubmitted for evaluation. The time period can be setmany different ways. For example, the time period may be specified inthe location constraint or randomly selected by the blackbox. Theblackbox can deny the right (i.e. stop decrypting any more content) iflocation entity returns FALSE or failure.

A “valid until” or “time period of validity” value may also be added tothe response sent to the blackbox. The blackbox can then grant the rightto the content within the validity period and resubmit the locationconstraint at the end of the validity period. The location entity canalso determine the desired time period by sending at least two locationrequests to the mobile operator within a short period of time toestimate the mobile device's speed and direction of travel. Generally,the larger the distance to a location constraint, the larger the timeperiod may be set.

Exemplary Location Constraints

According to one embodiment of the invention, constraints are specifiedin an XML notation. Other ways of specifying the location constraintsmay be used. Several sample constraints are provided in this section butno attempt is made to be exhaustive. Our solution does not require theuse of any specific language/notation for specifying locationconstraints. Any formal language that can be evaluated by a computerwithout any ambiguity will work for expressing location constraints.Some examples include: XML; XrML; Boolean expressions; First-orderpredicate calculus; Scripting languages such as VBScript, JavaScript,etc.; Programming Languages such as Visual Basic, C#, Java, C++, etc.

The following exemplary constraint allows the PLAY right to be exercisedwithin a radius of 1000 meters around latitude=30N and longitude=50 W orwithin the area covered by zip code=98075. <RIGHT> PLAY </RIGHT><LOCATION> <ALLOW> <CIRCLE> <LATITUDE> 30N </LATITUDE> <LONGITUDE> 50W</LONGITUDE> <RADIUS> 1000 </RADIUS> </CIRCLE> <ZIPCODE> 98075</ZIPCODE> </ALLOW> </LOCATION>

The following constraint blocks the PLAY right in King County, Wash.<RIGHT> PLAY </RIGHT> <LOCATION> <BLOCK> <COUNTY> KING </COUNTY> <STATE>WA </STATE> <COUNTRY> USA </COUNTRY> </BLOCK> </LOCATION>

The following constraint only allows location data from OPERATOR1 andOPERATOR2 mobile operators (the content owner only trusts theseoperators to provide accurate location), and allows the PLAY right inareas covered by zip codes 98075 and 98052. <RIGHT> PLAY </RIGHT><LOCATION> <ALLOW> <ZIPCODE> 98075 </ZIPCODE> <ZIPCODE> 98052 </ZIPCODE></ALLOW> <MOBILEOPERATORLIST> <ALLOW> <OPERATOR>OPERATOR1</OPERATOR><OPERATOR> OPERATOR2</OPERATOR> <ALLOW> </MOBILEOPERATORLIST></LOCATION>

The following constraint only does not allow location data fromFLYBYNIGHT mobile operators (the content owner does not trust thisoperators to provide accurate location). <RIGHT> PLAY </RIGHT><LOCATION> <ALLOW> <ZIPCODE> 98075 </ZIPCODE> <ZIPCODE> 98052 </ZIPCODE></ALLOW> <MOBILEOPERATORLIST> <BLOCK> <OPERATOR>FLYBYNIGHT</OPERATOR></BLOCK> </MOBILEOPERATORLIST> </LOCATION>Illustrative Operating Environment

With reference to FIG. 1, one exemplary system for implementing theinvention includes a computing device, such as computing device 100. Ina very basic configuration, computing device 100 typically includes atleast one processing unit 102 and system memory 104. Depending on theexact configuration and type of computing device, system memory 104 maybe volatile (such as RAM), non-volatile (such as ROM, flash memory,etc.) or some combination of the two. System memory 104 typicallyincludes an operating system 105, one or more applications 106, and mayinclude program data 107. In one embodiment, application 106 may includeblackbox 120. This basic configuration is illustrated in FIG. 1 by thosecomponents within dashed line 108.

Computing device 100 may have additional features or functionality. Forexample, computing device 100 may also include additional data storagedevices (removable and/or non-removable) such as, for example, magneticdisks, optical disks, or tape. Such additional storage is illustrated inFIG. 1 by removable storage 109 and non-removable storage 110. Computerstorage media may include volatile and nonvolatile, removable andnon-removable media implemented in any method or technology for storageof information, such as computer readable instructions, data structures,program modules, or other data. System memory 104, removable storage 109and non-removable storage 1 10 are all examples of computer storagemedia. Computer storage media includes, but is not limited to, RAM, ROM,EEPROM, flash memory or other memory technology, CD-ROM, digitalversatile disks (DVD) or other optical storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium which can be used to store the desired informationand which can be accessed by computing device 100. Any such computerstorage media may be part of device 100. Computing device 100 may alsohave input device(s) 112 such as keyboard, mouse, pen, voice inputdevice, touch input device, etc. Output device(s) 114 such as a display,speakers, printer, etc. may also be included.

Computing device 100 may also contain communication connections 1 16that allow the device to communicate with other computing devices 1 18,such as over a network. Communication connection 116 is one example ofcommunication media. Communication media may typically be embodied bycomputer readable instructions, data structures, program modules, orother data in a modulated data signal, such as a carrier wave or othertransport mechanism, and includes any information delivery media. Theterm “modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia includes wired media such as a wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media. The term computer readable media as used herein includesboth storage media and communication media.

FIG. 2 illustrates a mobile computing device that may be used in oneexemplary embodiment of the present invention. With reference to FIG. 2,one exemplary system for implementing the invention includes a mobilecomputing device, such as mobile computing device 200. Mobile computingdevice 200 includes processor 260, memory 262, display 228, and keypad232. Memory 262 generally includes both volatile memory (e.g., RAM) andnon-volatile memory (e.g., ROM, Flash Memory, or the like). Mobilecomputing device 200 includes operating system 264, such as the WindowsCE operating system from Microsoft Corporation, or another operatingsystem, which is resident in memory 262 and executes on processor 260.Keypad 232 may be a push button numeric dialing pad (such as on atypical telephone), a multi-key keyboard (such as a conventionalkeyboard). Display 228 may be a liquid crystal display, or any othertype of display commonly used in mobile computing devices. Display 228may be touch-sensitive, and would then also act as an input device.

One or more application programs 266 are loaded into memory 262 and runon the operating system 264. A blackbox resides on mobile computingdevice 200 and is programmed to perform instructions relating toenforcing location constraints associated with DRM licenses. Mobilecomputing device 200 also includes non-volatile storage 268 withinmemory 262. Non-volatile storage 268 may be used to store persistentinformation which should not be lost if mobile computing device 200 ispowered down.

Mobile computing device 200 includes power supply 270, which may beimplemented as one or more batteries. Power supply 270 might furtherinclude an external power source, such as an AC adapter or a powereddocking cradle that supplements or recharges the batteries.

Mobile computing device 200 is shown with two types of optional externalnotification mechanisms: LED 240 and audio interface 274. These devicesmay be directly coupled to power supply 270 so that when activated, theyremain on for a duration dictated by the notification mechanism eventhough processor 260 and other components might shut down to conservebattery power. Audio interface 274 is used to provide audible signals toand receive audible signals from the user. For example, audio interface274 may be coupled to a speaker for providing audible output and to amicrophone for receiving audible input, such as to facilitate atelephone conversation.

Mobile computing device 200 also includes communications connection(s),such as a wireless interface layer, that performs the function oftransmitting and receiving communications. Communications connection 272facilitates wireless connectivity between the mobile computing device200 and the outside world. According to one embodiment, transmissions toand from communications connection 272 are conducted under control ofthe operating system 264.

The above specification, examples and data provide a completedescription of the manufacture and use of the composition of theinvention. Since many embodiments of the invention can be made withoutdeparting from the spirit and scope of the invention, the inventionresides in the claims hereinafter appended.

1. A method for providing location based digital rights management forcontent accessed on a device, comprising: determining if a locationconstraint exists for a requested right made by the device; determininga trusted location determining entity; acquiring a location of thedevice from the trusted location entity; evaluating the location of thedevice against the location constraint; and blocking or allowing accessto the content based on the evaluation.
 2. The method of claim 1,wherein acquiring the location of the device from the trusted locationentity further comprises using a secure connection between the deviceand the trusted location entity.
 3. The method of claim 1, whereinevaluating the location of the device against the location constraint isperformed remotely from the device.
 4. The method of claim 1, whereinevaluating the location of the device against the location constraint isperformed locally on the device.
 5. The method of claim 1, furthercomprising acquiring the location of the device and evaluating thelocation of the device against the location constraint when the deviceis moving.
 6. The method of claim 1, wherein the location constraint isexpressed using at least one of: a geometric description, postal codesand geographic entity names.
 7. The method of claim 1, wherein acquiringthe location of the device comprises determining at least one of: alatitude and longitude of the device; a spherical coordinate of thedevice; and a geographic entity name in which the device is located. 8.A system for providing location based digital rights management forcontent, comprising: a device including: a blackbox operative to performactions, including: determining if a location constraint exists for arequested right associated with the content; sending a request for alocation of the device to a trusted location entity; and blocking orallowing access to the content based on an evaluation of the location ofthe device against the location constraint; and wherein the locationentity is operative to perform actions, including: receiving the requestfor the location of the device; and determining the location of thedevice.
 9. The system of claim 8, wherein the location entity is furtherconfigured to evaluate the location of the device against the locationconstraint to determine whether the content may be accessed by thedevice.
 10. The system of claim 8, wherein the location entity isfurther configured to communicate securely with the device.
 11. Thesystem of claim 8, wherein the location constraint specifies trustedmobile networks.
 12. The system of claim 8, wherein the location entityis a trusted mobile network.
 13. The system of claim 8, wherein thedevice further comprises a radio stack, and wherein the blackbox isfurther configured to refuse any location constrained rights when atleast one of the following conditions occurs: when the radio stack hasbeen turned off and when the device is tethered.
 14. The system of claim8, wherein blocking or allowing access to the content based on theevaluation of the location of the device against the location constraintfurther comprises receiving the location from the location entity andevaluating the location against the location constraint.
 15. The systemof claim 8, wherein the device is further configured to send the requestfor the location when the device is moving.
 16. The system of claim 15,wherein the location constraint specifies a frequency of locationrequests.
 17. The system of claim 15, wherein the location entity isfurther configured to specify a frequency of location requests.
 18. Thesystem of claim 17, wherein the device further includes a IMSI/ESNidentifier that is used to uniquely identify the device.
 19. The systemof claim 8, wherein the location constraint is expressed using at leastone of: a geometric description, postal codes and geographic entitynames.
 20. A computer-readable medium having computer-executableinstructions for providing location based digital rights management forcontent accessed on a device, comprising: determining if a locationconstraint exists for a requested right associated with the content;acquiring a location of the device from a trusted location entity; andblocking or allowing access to the content based on an evaluation of thelocation of the device against the location constraint.
 21. Thecomputer-readable medium of claim 20, wherein acquiring the location ofthe device from the trusted location entity further comprises using asecure connection between the device and the trusted location entity.22. The computer-readable medium of claim 20, further comprisingacquiring the location of the device and evaluating the location of thedevice against the location constraint when the device is moving. 23.The computer-readable medium of claim 20, wherein the locationconstraint is expressed using at least one of: geometric description,postal codes and geographic entity names.
 24. The computer-readablemedium of claim 20, wherein the location constraint is expressed usingat least one of the following languages: XML; XrML; Boolean expressions;first-order predicate calculus; scripting languages; and a formalprogramming language.
 25. The computer-readable medium of claim 20,wherein acquiring the location of the device comprises determining atleast one of: a latitude and longitude of the device; a sphericalcoordinate of the device; and a geographic entity name in which thedevice is located.